Banking trojans are currently the most widespread class of malicious software. They are particularly dangerous because they directly impact the victim's financial resources. Modern banking trojans are distributed as kits that anyone can customize. The existence of various customizations, often sold or traded for money, logically lead to a high volume of trojan variants, which traditional approaches based on manual analysis and signature crafting cannot possibly handle. Modern banking trojans such as ZeuS, SpyEye, or Citadel all have a common, distinctive feature called WebInject, which eases the creation of custom procedures to inject arbitrary content in a (banking) website page. The attacker's goal is to modify the page, typically with additional, legitimate-looking input fields, which capture sensitive information entered by the victim. The result is that a web page rendered on an infected client differs from the very same page rendered on a clean machine. We leveraged this observation to implement a system to generate cross-platform signatures of any arbitrary WebInject-based trojan with no reverse-engineering effort required. These fingerprints can be used to determine whether a client is infected or not. Our evaluation on 56 distinct ZeuS samples and 213 banking websites shows that our system reaches a good accuracy level and it is able to extract fingerprints from infected clients with a fully-centralized and server-controlled infrastructure.